Sunday, June 17, 2018

Life After Law Enforcement: How to Prepare


I decided to delay the progression of the Life After Law Enforcement series since I was involved in an active hiring process and I didn’t want to provide any unfair advantage to candidates who read the upcoming “how to prepare” content in the series after others had actually put in resumes.  For example, I’m going to devote an entire blog post just to resumes alone and didn’t want to re-enact a scene from Patton where one candidate got to “read my book” while other candidates didn’t get to do that because they put in resumes before I got the post out.



Now that we’re past the resume intake process and the jobs aren’t posted anymore, I can fire off this next blog post.

One of the best bits of a career advice that I have received is to always prepare for the next job.  The “next job” might never be necessary, it might be an opportunity inside of the organization that you are already in, or it could be with an entirely new organization and even in an entirely new career field.  

One of the first steps in preparing for that next job is to define your goals for that post-law enforcement job. What do you consider your priority items? Is it working in a specific industry, a specific role, or even a specific geographical location?  Your goals will dictate the strategies and tactics that you use to prepare and obtain your next job.  You should be talking to those who have gone before you into the great wide world of the private sector to see what their experiences have been and what they can tell you about their jobs and organizations.  The better an idea that you have of the of what job you want and what its requirements are, the better you will be able to prepare.

Frankly, the most important strategy for job searching is networking.  Making connections with others will help you learn about the job market, how to prepare for specific jobs, and it will greatly increase your ability to land a job.  The age-old phrase, “It’s not what you know, it’s who you know” is partially true.  It’s both what you know and who you know that will lead to landing that shiny new job.  It’s not that you can’t get a good job by blindly firing a resume into a job posting (I’ve hired people that way many times during my career), but you have a much stronger possibility of success if you already have pre-established relationships in the organization you are trying to work for especially if it’s with the hiring manager or someone on that person’s team.

You should have a well-written, professionally reviewed resume. Period. I’ve been a hiring manager for over a decade now and I can tell you with metaphysical certitude that most people’s resumes are abject clown shows.  I swear most of the resumes I get are just a few steps above being written with crayon on unicorn stationary. I’ll leave that alone for now, but I’m going to devote an upcoming blog post in this series exclusively to resumes.

One of the best tools that you can have for your job search is a well-designed LinkedIn profile. Your profile should largely reflect your properly crafted and professional resume and you also have the option of also posting your resume on your LinkedIn profile. Your profile should include a professional looking picture because you have to assume that any hiring manager who is interested in hiring you is going to do at least a cursory social media search for you that will include your LinkedIn profile as one of their first stops.

Start searching LinkedIn and various other job sites for job postings and pay close attention to what skills are being sought after by employers. Do they require a college degree? Are there particular certifications that they require or are preferred? What technical skills are they calling out as being important to the position? The job postings are going to be giving you important roadmap on what employers want to see from candidates which will help guide you in your preparation.

If you are in this business, you probably have at least some basic open source intelligence skills. Time to start using that skill set to help land you a job. Find job postings that you find interesting and start doing your research using tools like LinkedIn on people inside of that organization so you can reach out to them and start making friends and collecting information.   The holy grail of this sort of research is figuring who the hiring manager is for active roles so that you can make contact with them.  Even if you aren’t ready to start applying right at the moment, it’s smart to make contacts and start learning what hiring managers want out of job applicants. 

One of your strategies should be creating a body of work that demonstrates what you are good at and passionate about. I know the phrase “personal brand” sounds silly, but there’s quite a bit of truth to it. Learning and contributing through methods such as Twitter, blogging, conference presentations, volunteering (like at your local BSides), and the like will go a long way in establishing yourself as someone an employer knows is passionate and capable.  You do not have to be doing cutting edge and highly technical content to be a contributor.  There are new people entering the digital forensics world all the time and having someone explain concepts to them in ways they can understand is immensely valuable. For example, there’s nothing wrong creating a well-crafted blog post or conference presentation that explains a known concept in a clear and concise manner. If you do want to delve into unique areas, look ahead a bit and see where you think the digital forensics world is going to need to up to speed quickly and where there isn’t much work being done.  That’s one of the reasons why I’m spending so much time and energy on blockchain investigations.  It’s a gap in our collective knowledge and it’s just really, really cool.

Another good idea is to get yourself a mentor who can help advise you through your career transition. Ideally, this would be someone who is a hiring manager in an organization or industry that you are targeting in your job search. This person can help be your Sherpa guide for your transition into life after law enforcement and might very well end up being someone who hires you. I’ve successfully mentored people who are looking to break into the industry and were successful in doing so.

The questions that I tend to get revolve around what skills are needed to land a job and be successful outside of law enforcement. In general, the answer to that question is a function of what sort of job that you are interested in.  This is why I recommend paying close attention to job postings even before someone is considering making application.  The job postings are going to answer those questions in that they will be telling applicants what the hiring organization is looking for in an applicant.  That said, one of the universal skills that I tell people to start shoring up quickly is learning anything and everything they can about computer networking.

When I left law enforcement, I knew quite a bit about operating systems, but not much at all about networking.  I filled that gap by studying for and passing the CompTIA Network+ exam as well as the Cisco CCNA and CCDA exams.  I even started passing exams for the CCNP certification. Through that process, I learned an immense amount about how computer networks worked and ended up being my organization’s VPN engineer along with doing digital forensics work in my first role in the private sector digital forensics world.  I also studied for and passed the CompTIA iNet+ (which is no longer offered), A+, and Linux+ exams.  I found that, at least for me, learning a skill knowing that I would have to pass a certification exam at the end of the process worked very well for me when it came to expanding my knowledge.  It was also nice to list a horde of certifications on my resume since human resources and some hiring managers like to see that sort of thing.

The other question I tend to get is what role a college degree should play in preparing for people who don’t already have one.  This one is a big tougher to answer so I’ll throw out the lawyerly answer of “It depends”. If you’ve got loads of marketable job skills and experience and you’re meeting or exceeding the requirements of the jobs that you are interested in pursuing, it may very well be a bad idea to spend all of the time and money doing a degree before getting hired somewhere especially if you are doing it while you have family obligations. However, in some depressingly stupid organizations even if you can get hired without a degree, it can be tough to get promoted without one which puts downward pressure on your career path.

I did my first graduate degree while I was working as a police officer and that was quite a bit of work.  I did my second graduate degree while I was working in the private sector running a global digital forensics team and having a family and that was nightmarish at times.  So, unless you are going to be obtaining marketable skills at a reasonable price through the degree process, it may not be a great idea. The trick is understanding that many degree programs are grossly overpriced relative to their value.  For example, going $80,000 in debt in your forties for a digital forensics degree is probably not going to make any sense.

One of the big problems with getting a degree is that the bachelor’s degree system here in the United States generally takes four years or more due to the general education requirements so you can find yourself later in life sitting in class (physically or virtually) taking Babylonian Astrology 101 when you really just want to increase your marketable job skills.  You can’t even think about doing a graduate degree chock full of technical goodness until you’ve banged out that undergraduate degree. 

Ireland to the rescue on that front.  University College Dublin offers a graduate degree in Forensic Computing & Cybercrime Investigation that does not require an undergraduate degree to enter the program if you have enough prior experience and training and can be done from the United States. This is the program that the mighty Cindy Murphy went through and I know others who have entered the program and think very highly of it. 

The primary takeaway from this blog post should be that the burden of preparing for and landing that next role is squarely on you. Not doing any research or preparation and blindly firing off a third-rate resume into random job postings is one of the worst ways you can go about this process.  The more you take control of the process through preparation and networking, the better your result will be.

Saturday, March 31, 2018

2018 National Cyber Crime Conference

Just a quick blog post to let people know that I'll be speaking at the 2018 National Cyber Crime Conference in Boston next month. I'll be doing multiple sessions on virtual currency which has been one of my favorite computer crime related topics these days. 

I have quite a few more speaking engagements in the works this year and I think they're all going to be virtually currency related based on what I'm seeing so far.  Everyone is trying to get caught up on this in the law enforcement world and I'm fortunate enough to have a background in law enforcement, digital forensics, and economic crime so I've been well positioned to tackle this topic.

I also have a couple AFoD blog interviews underway now that the readership metrics are back enough to where I can justify someone spending the time doing one with me.

Lastly, I'm still working on the next installation of the Life After Law Enforcement series which I'm hoping to get out in the next month or so.

Sunday, March 4, 2018

Life After Law Enforcement: Life In The Fast Lane


The first part of our Life After Law Enforcement series talked about the decision to leave. In this installment, I’ll compare and contrast life in the consulting world versus the corporate world. Before I do that, however, it’s important to discuss a couple concepts that drive the differences between life in the public sector and the private sector.

One of the biggest differences is there is virtually no unionization in the private digital forensics world. At least here in the United States, most law enforcement jobs are going to be unionized civil service positions.  This means that the relationship between the government entity and the employee is doing to be defined by a collective bargaining agreement. Even if an officer isn’t covered under a collective bargaining agreement, they’re almost certainly going to be under some sort of civil service type protection.

This means that there is much more job security compared to the private world in that you can be thoroughly mediocre, but unless you are really screwing up in a well-documented way, you get to keep your job. It also means that your compensation is largely just a function of how long you’ve managed to stick around rather than how much value you add to the organization.

Not so much in the private sector, where your job security and compensation will be primarily a function of the value that you provide your employer rather than how long you’ve managed to go without egregiously screwing up.  You’ll certainly see your fair share of mediocre people in the private sector, but they tend to have stagnant career paths and they’re the first people out the door when a re-organization comes or revenues are down. Since collective bargaining and civil service generally aren’t in play in the private digital forensics world, your relationship with your employer is going to be individual rather than collective and revolves around the value you provide. 

This is very good news for people who are motivated and want to excel. One of the reasons I left law enforcement early in my career is that I recognized that no matter how good I was at my job, my career path and compensation would largely be a function of time rather than talent.  This is very bad news for someone who just wants to do the minimum and punch a clock.

Another important difference is that many private sector digital forensics jobs will put you in the position where you are a necessary evil to the organization rather than someone driving the primary mission of the organization.  Law enforcement agencies are put upon this earth to put bad people behind bars.  Whether it’s a police officer in patrol car arresting baddies or a digital forensics detective putting some evil wretch in prison until shortly after mammals are extinct because of something they did to some child, police officers are primary people advancing the goal of that agency. 

In the private sector, unless you are in a consulting type position, digital forensics people are a necessary evil to an organization and are the dreaded indirect spend. Direct spend is spending that is aligned with delivering a product or service to a customer. Indirect spend is everything else.  Spending money to create and staff a manufacturing line to build cars that are then sold to customers is direct spend. Spending money on information security people to keep that manufacturing line from getting hacked and stopped is indirect spend.  Indirect spend is important to an organization, but it’s a big fat juicy target for cutting costs and increasing profits. The closer you are to impacting the profit and loss of an organization, the more important you are. The more important you are to an organization, the more you will be paid, the better your promotion chances, and the better your job security.

There are some similarities in that large bureaucracies whether they are public or private tend to follow the late Jerry Pournelle’s Iron Law of Bureaucracy more often than anyone would like to admit. I’ll just quote directly from the Jerry Pournelle website when it comes to explaining this:  

Pournelle's Iron Law of Bureaucracy states that in any bureaucratic organization there will be two kinds of people":

 First, there will be those who are devoted to the goals of the organization. Examples are dedicated classroom teachers in an educational bureaucracy, many of the engineers and launch technicians and scientists at NASA, even some agricultural scientists and advisors in the former Soviet Union collective farming administration.

Secondly, there will be those dedicated to the organization itself. Examples are many of the administrators in the education system, many professors of education, many teachers union officials, much of the NASA headquarters staff, etc.

The Iron Law states that in every case the second group will gain and keep control of the organization. It will write the rules, and control promotions within the organization.

The good news is that this isn’t as universal as the name Iron Law would imply.  I’ve worked for organizations where the first group of people ran the show and the health, effectiveness, and morale of the organization reflected that. The organization I work for right now is one where the Iron Law doesn’t even remotely apply, but I’ve gotten to know the Iron Law of Bureaucracy all too well during various periods of my career.

Let’s add another common element in private sector life into all of this and that’s organizational change.  I’ve long since lost track of how many reorganizations I’ve lived through in the private sector, but it’s a constant part of life in large private organizations.  About the time you get comfortable with an organizational structure, someone will come along and blow it up.  Change is such a constant in the private sector that top business schools like can demand wheelbarrows of cash offering training in organizational change management.

One of the primary drivers of organizational change are changing business conditions.  Markets are dynamic so organizations have to adjust their products, services, and how they operate to adjust to changing market conditions.  As organizations change, the security portion of the organizations have to change to continue to securely enable business operations.  Security leaders who can’t manage change and keep up with the business leaders don’t last very long.  And when they get whacked you can expect another reorganization.

This brings up another potential driver of organizational change and that’s the Ides of March.  Politics are part of any organization whether they are public or private, but in the private sector, the stakes can be very high because of the amount of money involved especially if an organization is highly profitable.  There is quite a bit of careerism in the private world.  I define a careerist as someone who puts their own career goals ahead of the needs of the organization or their people. They’re an odious fact of life in the private sector.  They exist in the public sector, but union rules and civil service protections blunt the impact that they can have on individuals in an organization.

Executive political life can be pretty…staby in the private sector, but the rewards can be great especially when you factor in that successful security executives in large organizations can make over a million dollars a year in compensation. In many cases, you will have reorganizations that have no real functional purpose, but have everything to do with palace intrigue and who got knifed on some senate steps.

So why am I telling you this? Because with change comes both peril and opportunity. If you play your cards right in knowing how to obtain and retain power in organizations, there could be new opportunities during a reorganization to advance your career as new teams are created, new positions are created, or even more money floating around for things like training or tuition assistance.  In security organizations, one of the best times for funding can be after a major breach when the senior executives (and they may be the new ones that just replaced the now fired ones) are scared straight and start throwing immense amounts of money at the security organization.

Power in organizations translates not only to career progression and increased rewards, but also to survival. While you certainly can gain power by moving up the organizational ladder and increasing your influence and responsibilities, you can also gain power by the value you add to an organization through your individual abilities.  Some of the most powerful people in a security organization are the individual contributors who have skills that are mission critical and hard to replace. 

The more value you add to an organization, the more power you have to influence things around you, the greater your rewards, and the less you have to worry about job security. The less valuable you are to an organization, the less power that you have which harms your ability to change things around you, your compensation, and your job security.  The less value you add to an organization, the greater your risk during one of the inevitable reorganizations or if your organization hits hard economic times.  It’s not the highly skilled individual contributors who are going to be marked for termination when costs have to be cut in an organization or the inevitable next reorganization comes along.

Let’s talk about two broad categories of private sector jobs.  The first I’ll talk about is the consulting world and then I’ll address corporate life.  I’m not going to directly talk about non-profit type organizations like where I work now because depending on how they are structured they can essentially act as a government organization or they can feel more like consulting or corporate. It depends on how their mission, funding, and management.

Let’s start with consulting.  Consulting can be an immensely rewarding experience that can greatly increases your knowledge, job satisfaction, and value or be a joyless dystopian hellscape where the living envy the dead not.  I’ve seen a couple golden eras of consulting during my time in the industry.  The first was the eDiscovery golden age that started roughly near the year 2000 and ended, the best I can tell, about the time of the financial crisis.  During this time, eDiscovery consulting organizations where shaking down corporations and law firms for confiscatory prices for providing eDiscovery services.  There were countless eDiscovery consulting firms spread across the land and they were desperate for consultants who they could put into the field and their labs so that they could crank out as many billable hours as they could get away with.  Life as a consultant during this time involved burning an immense number of hours traveling and collecting mountains of data.  The data was then brought back to some lab somewhere and either the same consultants or different consultants then processed and hosted the data for attorney review.   Since the primary billing model was consultant hours, consultants were basically just another commodity to be used up.  I saw a lot of burn out during this era and more than a few very unhappy police officers enter this space thinking they were going to be doing interesting digital forensics analytical work and catching bad guys when all they were doing was just endless grunt work slinging data around from one place to another.  If you were an eDisco manager during this era, your life was constant pressure to make sales goals, making sure your faceless commodities consultants were being fully utilized for billing purposes, and plenty of stuff that had nothing to do with chasing bad guys and solving digital forensics mysteries.

The golden age of eDiscovery went bust because the industry overplayed its hand and their customers starting to bring those services inside of their organizations. The result was quite a few of these consulting firms going out of business or being purchased by larger consulting firms that were better diversified and positioned to survive the bust. I also think the legal system generally just responded negatively to the high costs and how things were being done. Cost containment started to be a big deal in the legal world since even in an adversarial legal system everyone could see that the consultants were saddling up their customers and taking them for a very expensive ride. 

Another thing that really hurt the eDiscovery industry was the rise of the golden age of cyber security consulting that continues to this day.  The eDisco consulting industry faced increasing pressure from the cyber security consulting world for talent and customer money.  This golden area of cyber security consulting has been partially a response to the near impossibility of defending networks from persistent skilled attackers.  There have been legions of high-profile breaches and the rise of public disclosure laws has meant that many of these incidents end up in headlines that result in great financial loss, embarrassment, and senior executive careers coming to an end.  This has provided powerful incentive for organizations to greatly increase their cyber security capabilities which lead to an immense amount of money being thrown at cyber security consulting firms.

This golden age is meat on the table of enterprising and skilled law enforcement officers who are looking for their second career.  There are countless consulting firms who are looking for talented people to come help them serve their customers both by offering proactive services such as penetration testing and threat intelligence and reactive services such as helping them detect, respond, and remediate incidents.  Some of these firms are going to be nightmares to work for where your life will be similar to what I described above, but many others have learned that retaining critical talent requires providing a reasonable work-life balance, rewarding work, and a career path. 

This gets back into the point I made earlier about the more power you have in an organization, the more you can influence you have about the world around you.  One of the things I learned as a police officer is that trauma comes from lack of control. A great way to have a traumatic consulting experience is to have minimal technical skills and to land in a job where you’re traveling nearly constantly doing low-skilled grunt work.  The best way to have a rewarding consulting experience is to have in-demand job skills (and a security clearance is worth crazy bonus points in this space) where you are being used for high-end work that your employer can charge near-confiscatory prices to customers.

Which gets us to life in the corporate world.  In the consulting world, you’re generally going to be direct spend which means the money an organization puts into you is directly involved with the service that is being provided to a customer.  In the corporate world, you’re indirect spend.  You’re a necessary evil when the money that is spent on you doesn’t involve making or selling a product or service to a customer.  That’s the bad news.  The good news is that because we’re in this golden age of cyber security, corporations are just fine (for now) with this sort of indirect spending. I spent most of my career building and leading high-performance digital forensics and incident response teams for a couple Fortune 100 enterprises.  Landing on one of these teams can be a very rewarding experience as long as you do your homework and find a team and organization that is a good fit for your skills and temperament. 

Corporate digital forensics jobs can take several different forms but the primary tasks that you’ll see in the corporate world are also the same that are being offered up in the consulting world such as eDiscovery, threat intelligence, incident response, security operations, digital forensics, malware analysis, and the like.  That which is necessary in the cyber security world is either going to be brought in internally (which creates corporate positions) or purchased externally (which creates consulting positions) or a combination of both. 

Life in the corporate world will be more predictable that in the consulting world since corporate jobs tend to be more of a normal business offer hour situation with nights and weekends as necessary when things get busy.  There are some exceptions such as corporations that have 24/7 security operations centers that require shift work.  I don’t see too many people from the law enforcement world doing security operations shiftwork, but that isn’t to say that it can’t happen and those security operations roles can be very rewarding and educational.  I’ve seen many people start in security operation centers and used that time to build a skillset that led to very rewarding career paths.

I think one of the biggest shocks for law enforcement people going into the private sector is the concept that you are now a salaried employee and there is rarely such a thing as overtime or compensation time.  You’re expected to get your work done and that frequently involves working over 40 hours a week to do that.  You are also now competing with other people in your organization.  Remember what I said earlier about gaining power in an organization.  Having a reputation as someone who just does the minimum is a great way to undermine your corporate career even if you are a highly skilled person.  A good attitude and a strong work ethic will go a long way in the private world.

There is also another aspect of the private sector which is going out on your own and starting up your own business.  Frankly, this is one of the areas where I have the least amount of experience with and I think the best way to handle this will be for me to just pester someone to do an interview here on the blog.  If you have any suggestions on who you might want to see interviewed, let me know.

I’m at about 3,000 words on this blog post and I think I’ve covered a decent overview of life on the private side. I’ll still continue to address some specifics as the series progresses especially in the next blog post where I talk about what you should be doing as a law enforcement officer to prepare for life on the private side.